Posted to dev@ranger.apache.org by Mahesh Bandal <ma...@gmail.com> on 2021/01/29 11:31:58 UTC

Review Request 73165: RANGER-3168: User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Dhaval Shah, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3168
    https://issues.apache.org/jira/browse/RANGER-3168


Repository: ranger


Description
-------

The following GET APIs should be accessible to other users.

GET API: /service/public/v2/api/servicedef/
GET API: /service/public/v2/api/servicedef/{id}
GET API: /service/public/v2/api/servicedef/name/{name}

If a user has permissions on the "Resource Based Policies" module, then he is able to view servicedef using Ranger-UI and therefore he should be able to access servicedef using GET API- /service/public/v2/api/servicedef/


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 19b93e67c 


Diff: https://reviews.apache.org/r/73165/diff/1/


Testing
-------

1. User and Auditor can access servicedef if they have permissions on the "Resource Based Policies" module.
2. KeyAdmin and KMSAuditor users can only access KMS servicedef.


Thanks,

Mahesh Bandal


Re: Review Request 73165: RANGER-3168: User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/#review222540
-----------------------------------------------------------


Ship it!

- Madhan Neethiraj




Re: Review Request 73165: RANGER-3168: User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/#review222561
-----------------------------------------------------------


Ship it!

- Abhay Kulkarni




Re: Review Request 73165: RANGER-3168: User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API

Posted by Mahesh Bandal <ma...@gmail.com>.

> On Feb. 3, 2021, 6:55 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> > Line 127 (original), 127 (patched)
> > <https://reviews.apache.org/r/73165/diff/1/?file=2245876#file2245876line127>
> >
> >     Is a normal user allowed to see KMS service-def? The code changes seem to open up all service-definitions to all users. Please clarify.

Normal users are not allowed to see KMS service-def. As per this change, authorization will be handled by functions of ServiceREST class, i.e. serviceREST.getServiceDef(id), serviceREST.getServiceDefByName(name), serviceREST.getServiceDefs(request)

KeyAdmin and KMSAuditor role users can only access KMS service-def.
KeyAdmin and KMSAuditor role users can't see other service-def such as hdfs, hive etc.

Admin, Auditor and User role users can't access KMS service-def.
Admin, Auditor and User role users can only access other service-def such as hdfs, hive etc.

Following APIs will behave exactly the same (in terms of Authorization) as APIs mentioned in ServiceREST class.
1. GET API: "/service/public/v2/api/servicedef/" <==> "/service/plugins/definitions/"
2. GET API: "/service/public/v2/api/servicedef/{id}" <==> "/service/plugins/definitions/{id}"
3. GET API: "/service/public/v2/api/servicedef/name/{name}" <==> "/service/plugins/definitions/name/{name}"

Current behavior of APIs mentioned in ServiceREST class is as follows:
* If Auditor or Normal user does not have permission on the "Resource Based Policies", they can't access service-def using "/service/plugins/definitions/", nevertheless they can get service-def by "id" and "name" through API "/service/plugins/definitions/{id}" and "/service/plugins/definitions/name/{name}" respectively. This behaviour is because of current code at https://github.com/apache/ranger/blob/5df512439c85199abacb84675b91d0b704fb61f0/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java#L531 which is not present in getServiceDefByName() and getServiceDef(long id) functions of ServiceREST class.

* KeyAdmin, KMSAuditor role users can't see service-def which are accessible by Admin, Auditor, User role users and vice versa.


- Mahesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/#review222550
-----------------------------------------------------------

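An added regression check, not part of this review or of Ranger's own code, that exercises the authorization matrix Mahesh describes above against the PublicAPIsv2 servicedef paths (the by-id path follows the same rule as by-name and is left out for brevity). The account names, their `has_rbp_module` flags and the base URL are constructed assumptions; pass `http_fetch(...)` to run it against a live Ranger Admin, or any stub `fetch(path, user) -> status` to run it offline.

```python
from typing import Callable, Dict, List, Tuple
import base64, urllib.error, urllib.request

# Endpoints named in the review request (PublicAPIsv2 side).
LIST_PATH = "/service/public/v2/api/servicedef/"
BY_NAME_PATH = "/service/public/v2/api/servicedef/name/{name}"
KMS_ROLES = {"KeyAdmin", "KMSAuditor"}

def may_fetch(role: str, servicedef: str) -> bool:
    """Per-servicedef rule from the thread: KMS roles see only 'kms';
    Admin/Auditor/User see every servicedef except 'kms'."""
    return (servicedef == "kms") == (role in KMS_ROLES)

def may_list(role: str, has_rbp_module: bool) -> bool:
    """The collection endpoint additionally needs the 'Resource Based
    Policies' module permission for Auditor and User."""
    return role in KMS_ROLES or role == "Admin" or has_rbp_module

# Constructed test accounts: (username, role, has the module permission).
ACCOUNTS = [("admin", "Admin", True), ("auditor1", "Auditor", True),
            ("user_norbp", "User", False), ("keyadmin", "KeyAdmin", False),
            ("kmsauditor", "KMSAuditor", False)]
SERVICEDEFS = ["hdfs", "hive", "kms"]

def check_matrix(fetch: Callable[[str, str], int]) -> List[Tuple[str, str, int, bool]]:
    """Call fetch(path, username) -> HTTP status for every account and endpoint;
    return (user, path, status, expected_allowed) for each mismatch (200 == allowed)."""
    mismatches = []
    for user, role, has_rbp in ACCOUNTS:
        cases = [(LIST_PATH, may_list(role, has_rbp))]
        cases += [(BY_NAME_PATH.format(name=sd), may_fetch(role, sd)) for sd in SERVICEDEFS]
        for path, expected in cases:
            status = fetch(path, user)
            if (status == 200) != expected:
                mismatches.append((user, path, status, expected))
    return mismatches

def http_fetch(base_url: str, passwords: Dict[str, str]) -> Callable[[str, str], int]:
    """Fetcher for a live Ranger Admin; base_url is an assumption (e.g. http://localhost:6080)."""
    def fetch(path: str, user: str) -> int:
        req = urllib.request.Request(base_url + path)
        token = base64.b64encode(f"{user}:{passwords[user]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
        try:
            return urllib.request.urlopen(req, timeout=10).status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch
```

An empty result from `check_matrix` means every account got exactly the access the thread specifies; each mismatch names the account and path that is over- or under-permitted.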



Re: Review Request 73165: RANGER-3168: User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/#review222550
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
Line 127 (original), 127 (patched)
<https://reviews.apache.org/r/73165/#comment311648>

    Is a normal user allowed to see KMS service-def? The code changes seem to open up all service-definitions to all users. Please clarify.


- Abhay Kulkarni

